KLS Keeping Law Simple Legislation in plain English

Straight-ahead summaries built from the official bill text. We keep the source links front and center and leave the decision up to you.

Back to Hawaii

SB1038 • 2026

RELATING TO PRIVACY.

RELATING TO PRIVACY.

Privacy
Active

The official status still shows this bill as active or still awaiting another formal step.

Sponsor
LEE, C., CHANG, MCKELVEY, Hashimoto
Last action
2025-12-08
Official status
Carried over to 2026 Regular Session.
Effective date
Not listed

Plain English Breakdown

Using official source text because the generated explanation was unavailable or could not be confirmed against the official bill text.

RELATING TO PRIVACY.

RELATING TO PRIVACY.

What This Bill Does

  • RELATING TO PRIVACY.
  • Privacy; Personal Information; Security Breach; Notice; Identifier; Specified Data Element Adds a definition for "specified data element" and expands the definition of "personal information".
  • Effective 7/1/3000.
  • (HD1)

Limits and Unknowns

  • This entry is temporarily using official source text because the generated explanation could not be confirmed against the official bill text during the last sync.

Amendments

These notes stay tied to the official amendment files and metadata from the legislature.

HD1

1

Hawaii published version HD1

Plain English: SB1038 HD1 THE SENATE S.B.

  • SB1038 HD1 THE SENATE S.B.
  • NO.
  • 1038 THIRTY-THIRD LEGISLATURE, 2025 S.D.
  • 1 STATE OF HAWAII H.D.
SD1

3

Hawaii published version SD1

Plain English: SB1038 SD1 THE SENATE S.B.

  • SB1038 SD1 THE SENATE S.B.
  • NO.
  • 1038 THIRTY-THIRD LEGISLATURE, 2025 S.D.
  • 1 STATE OF HAWAII A BILL FOR AN ACT RELATING TO PRIVACY .

Bill History

  1. 2025-12-08 D

    Carried over to 2026 Regular Session.

  2. 2025-03-19 H

    Passed Second Reading as amended in HD 1 and referred to the committee(s) on CPC with none voting aye with reservations; none voting no (0) and Representative(s) Cochran, Ward excused (2).

  3. 2025-03-19 H

    Reported from ECD (Stand. Com. Rep. No. 1380) as amended in HD 1, recommending passage on Second Reading and referral to CPC.

  4. 2025-03-14 H

    The committee on ECD recommend that the measure be PASSED, WITH AMENDMENTS. The votes were as follows: 6 Ayes: Representative(s) Ilagan, Hussey, Tam, Templo, Todd, Matsumoto; Ayes with reservations: none; 0 Noes: none; and 1 Excused: Representative(s) Holt.

  5. 2025-03-11 H

    Bill scheduled to be heard by ECD on Friday, 03-14-25 10:00AM in House conference room 423 VIA VIDEOCONFERENCE.

  6. 2025-03-06 H

    Referred to ECD, CPC, referral sheet 19

  7. 2025-03-06 H

    Pass First Reading

  8. 2025-03-04 H

    Received from Senate (Sen. Com. No. 244) in amended form (SD 1).

  9. 2025-03-04 S

    Report adopted; Passed Third Reading, as amended (SD 1). Ayes, 25; Aye(s) with reservations: none . Noes, 0 (none). Excused, 0 (none). Transmitted to House.

  10. 2025-02-27 S

    48 Hrs. Notice 03-04-25.

  11. 2025-02-27 S

    Report adopted; Passed Second Reading, as amended (SD 1).

  12. 2025-02-27 S

    Reported from CPN (Stand. Com. Rep. No. 800) with recommendation of passage on Second Reading, as amended (SD 1) and placement on the calendar for Third Reading.

  13. 2025-02-19 S

    The committee(s) on CPN recommend(s) that the measure be PASSED, WITH AMENDMENTS. The votes in CPN were as follows: 3 Aye(s): Senator(s) Keohokalole, Fukunaga, McKelvey; Aye(s) with reservations: none ; 0 No(es): none; and 2 Excused: Senator(s) Richards, Awa.

  14. 2025-02-14 S

    The committee(s) on CPN has scheduled a public hearing on 02-19-25 9:30AM; Conference Room 229 & Videoconference.

  15. 2025-01-23 S

    Referred to CPN.

  16. 2025-01-21 S

    Passed First Reading.

  17. 2025-01-17 S

    Introduced.

Official Summary Text

RELATING TO PRIVACY.
Privacy; Personal Information; Security Breach; Notice; Identifier; Specified Data Element
Adds a definition for "specified data element" and expands the definition of "personal information". Effective 7/1/3000. (HD1)

Current Bill Text

Read the full stored bill text 
SB1038

THE SENATE

S.B. NO.

1038

THIRTY-THIRD LEGISLATURE, 2025

STATE OF HAWAII

A BILL FOR AN ACT

RELATING TO PRIVACY
.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF HAWAII:

����
SECTION 1.
�
The legislature finds that House Concurrent
Resolution No. 225, H.D. 1, S.D. 1, regular session of 2019, convened the
twenty-first century privacy law task force, whose membership consisted of
individuals in government and the private sector having an interest or
expertise in privacy law in the digital era.
�

The concurrent resolution found that public use of the Internet and
related technologies have significantly expanded in recent years and that a
lack of meaningful government regulation has resulted in personal privacy being
compromised.
�
Accordingly, the
legislature requested that the task force examine and make recommendations
regarding existing privacy laws and rules to protect the privacy interests of
the people of the State.

����
The
legislature further finds that, following significant inquiry and discussion,
the task force recommended that the outdated definition of "personal
information" in chapter 487N, Hawaii Revised Statutes, which requires the
public to be notified of data breaches, should be updated and expanded.
�
Many identifying data elements relating to
individuals are collected, and, when exposed to the public in a data breach, can
place an individual at risk of identity theft or may compromise the
individual's personal safety.
�
In its
current form, chapter 487N, Hawaii Revised Statutes, is not comprehensive
enough to cover the additional identifiers.

����
Accordingly,
the purpose of this Act is to update the definition of "personal
information" in chapter 487N, Hawaii Revised Statutes, to include personal
identifiers and specified data elements that are found in more comprehensive
laws.

����
SECTION

2
.
�
Section 487N-1,
Hawaii Revised Statutes, is amended as follows:

����
1.
�
By adding two new definitions to be
appropriately inserted and to read:

����
"
"Identifier" means a common piece of
information related specifically to an individual that is commonly used to
identify the individual across technology platforms, including:

����
(1)
�
A
first name or initial, and last name;

����
(2)
�
A
user name for an online account;

����
(3)
�
A
mobile phone number; or

����
(4)
�
An
email address specific to the individual.

����
"Specified data
element" means any of the following:

����
(1)
�
An
individual's social security number, either in its entirety or the last four or
more digits;

����
(2)
�
Driver's
license number, federal or state identification card number, or passport
number;

����
(3)
�
A
federal individual taxpayer identification number;

����
(4)
�
An
individual's financial account number, or credit or debit card number;

����
(5)
�
A
security code, access code, personal identification number, or password that
would allow access to an individual's account;

����
(6)
�
Unique
biometric data
generated from a measurement or analysis of human body characteristics
used for authentication purposes, including a fingerprint, voice print, retina
or iris image, or other unique physical or digital representation of biometric
data;

����
(7)
�
A
private key that is unique to an individual and is used to authenticate or sign
an electronic record; and

����
(8)
�
Health
insurance policy number, subscriber identification number, medical
identification number, or any other unique number used by a health insurer to
identify a person.

"Specified data element" does
not include medical information that is protected by the Health Insurance
Portability and Accountability Act of 1996 and its enacting regulations or
other applicable federal or state law.
"

����
2.
�
By amending the definition of "personal
information" to read:

����
"
"Personal
information" means an [
individual's first name or first initial and
last name in combination with any one or more of the following data elements,
when either the name or the data elements are not encrypted:

����
(1)
�
Social
security number;

����
(2)
�
Driver's
license number or Hawaii identification card number; or

����
(3)
�
Account
number, credit or debit card number, access code, or password that would permit
access to an individual's financial account.
]

identifier
in combination with one or more specified data elements.
�
"Personal information" does not
include publicly available information that is lawfully made available to the
general public from federal, state, or local government records."

����
SECTION
3
.
�
Section 487N-2, Hawaii Revised Statutes, is
amended by amending subsection (g) to read as follows:

����
"(g)
�

The following businesses shall be deemed to be in compliance with this
section:

����
(1)
�
A
financial institution that is subject to the federal Interagency Guidance on
Response Programs for Unauthorized Access to Customer Information and Customer
Notice published in the Federal Register on March 29, 2005, by the Board of
Governors of the Federal Reserve System, the Federal Deposit Insurance
Corporation, the Office of the Comptroller of the Currency, and the Office of
Thrift Supervision, or subject to
title
12 [
C.F.R. Part
]
Code
of Federal Regulations part
748, and any revisions, additions, or
substitutions relating to the interagency guidance; [
and
]

����
(2)
�
Any
health plan or [
healthcare
]
health care
provider that is subject
to and in compliance with the standards for privacy or individually
identifiable health information and the security standards for the protection
of electronic health information of the Health Insurance Portability and
Accountability Act of 1996[
.
]
; and

����
(3)
�
Any licensee that is subject to the
Insurance Data Security Law, chapter 431, article 3B.
"

����
SECTION 4.
�

This Act does not affect rights and duties that matured, penalties that
were incurred, and proceedings that were begun before its effective date.

����
SECTION 5.
�

Statutory material to be repealed is bracketed and stricken.
�
New statutory material is underscored.

����
SECTION 6.
�

This Act shall take effect on July 1, 2025.

INTRODUCED BY:

_____________________________

Report Title:

Privacy;
Personal Information; Security Breach; Notice; Identifier; Specified Data
Element

Description:

Adds definitions of "identifier" and
"specified data element" and amends the definition of "personal
information" for the purposes of notifying affected persons of data and
security breaches under existing state law that governs the security breach of
personal information.
�
Includes licensees
subject to the Insurance Data Security Law among the businesses deemed
compliant with security breach notice requirements under existing state law.

The summary description
of legislation appearing on this page is for informational purposes only and is
not legislation or evidence of legislative intent.